CN115022282A - Novel domain name generation model establishment and application - Google Patents

Publication number
CN115022282A
Authority
CN
China
Prior art keywords
domain name
generator
server
domain
zombie host
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210628322.5A
Other languages
Chinese (zh)
Other versions
CN115022282B (en)
Inventor
单小洋
赵来平
聂力海
曲雯毓
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianjin University
Original Assignee
Tianjin University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/30 Managing network names, e.g. use of aliases or nicknames
    • H04L61/3015 Name registration, generation or assignment
    • H04L61/3025 Domain name generation or assignment
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • G06N3/084 Backpropagation, e.g. using gradient descent
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention discloses the establishment and application of a novel domain name generation model, comprising the following steps: the domain name generator synthesizes the domain name information to be updated into a domain name task, which is input to the domain name system; the domain name system evaluates the domain name task and feeds the label of a currently successfully registered domain name to the optimizer as positive feedback; the optimizer computes, by a policy gradient method, the gradient for updating the parameter θ from the domain name label and inputs it into the generator; the domain name generator repeats these steps until the generator converges. The invention addresses the imbalance between detection resistance and practicality in the domain name generation algorithms of existing botnets, and achieves both high detection resistance and high practicality by using a small amount of detector information and a reinforcement learning method.

Description

Novel domain name generation model establishment and application
Technical field:
The invention belongs to the technical field of network security, and particularly relates to a network domain name generation model and its application.
Background art:
Domain name generation algorithms (DGAs), which generate a large number of domain names (algorithmically generated domains, AGDs) of which a portion are then used for actual command and control (C&C) communication, have been widely adopted by modern botnets. They make it difficult to track the communications of the C&C servers operated by the attacker, which lets botnets withstand blacklists, botnet takedowns and other defenses. DGA-enabled botnets may be used for various network attacks, such as ransomware, spam campaigns and distributed denial of service (DDoS) attacks.
Existing domain name generation algorithms fall into two main categories: zero-knowledge and full-knowledge. Zero-knowledge domain name generation algorithms are typically seed-triggered pseudo-random algorithms that pseudo-randomly sample elements from a predefined dictionary (e.g., word lists, alphabet lists, and ASCII tables) and then concatenate the elements into a composite domain name. Such DGAs are highly practical and widely used in real botnets, but the domain names they generate differ greatly from legitimate domain names in structural, linguistic and statistical characteristics. Evaluation shows that existing detectors can reach an accuracy of 90 percent or more in identifying zero-knowledge DGAs, so their detection resistance is weak. Full-knowledge domain name generation algorithms train a neural-network-based adversarial AGD generator by assuming full knowledge of the detector. Although full-knowledge DGAs improve detection resistance, the strong assumption of full knowledge of the detector makes them difficult to apply in the real world. In particular, if the detector architecture and its model parameters are not available, the adversarial DGA cannot be obtained.
Disclosure of Invention
The invention aims to solve the imbalance between detection resistance and practicality in the domain name generation algorithms of existing botnets, and achieves both high detection resistance and high practicality by using a small amount of detector information and a reinforcement learning method.
The invention is realized by the following technical scheme:
A method for establishing a novel domain name generation model comprises the following steps:
the domain name generator synthesizes the domain name information to be updated into a domain name task, which is input to the domain name system;
the domain name system evaluates the domain name task and feeds the label of a currently successfully registered domain name to the optimizer as positive feedback;
the optimizer computes, by a policy gradient method, the gradient for updating the parameter θ from the domain name label and inputs it into the generator;
namely:
Figure BDA0003678782090000011
where $J(\theta)$ is the policy-gradient optimization objective and $r$ is the learning rate;
the domain name generator repeats the above steps until the generator converges.
Further, the process by which the domain name generator synthesizes the domain name information to be updated into a domain name task is as follows: the domain name generator has an initial state $s_1$; according to
Figure BDA0003678782090000012
it generates the first sequence symbol $y_1$, and obtains the next state $s_2$ from $s_{t+1} = [s_t, y_t]$.
The above process is repeated until $T$ sequence symbols have been generated and concatenated into a new domain name;
the domain name system evaluates the domain name task and gives positive feedback according to the following formula
Figure BDA0003678782090000021
where:
Figure BDA0003678782090000022
denotes the complete domain name generated from $s_1$ by following policy $\pi_\theta$. The objective $J(\theta)$ is optimized by policy gradient, that is, the policy parameter $\theta$ is updated along the gradient of $J(\theta)$.
The invention can also be implemented by the following technical scheme:
The application of the novel domain name generation model comprises the following steps:
the domain name generation algorithm module of malware in the application network is replaced with the trained domain name generator to obtain domain names;
malware carrying the domain name generator is deployed on the command and control (C&C) server and on the zombie host by sending email;
the domain name generator is run on the C&C server and on the zombie host at the same time and produces the same domain name list;
the C&C server randomly selects a domain name from the generated domain name list and registers the domain name and the IP address of the C&C server with the domain name system; if the registration fails, which indicates that the domain name is already registered or is considered a malicious domain name, the server selects a new candidate domain name for registration until registration succeeds;
to establish communication with the C&C server, the zombie host needs to know the server's IP address, and resolves the domain names in the domain name list one by one until a domain name resolves successfully and returns the IP address of the server;
the zombie host establishes communication with the server by using the IP address of the server;
the server receives the message from the zombie host and sends an attack instruction to the zombie host, so that the zombie host can launch a DDoS attack.
Advantageous effects
To conceal botnet communication, attackers have proposed many different domain name generation algorithms, which can be roughly divided into two types: zero-knowledge domain name generation algorithms, which need neither the detector architecture nor its model parameters, and full-knowledge domain name generation algorithms, which need all information about the detector for training. While these approaches conceal botnet communication to some degree, each has its own drawbacks. To make up for these drawbacks, the invention provides a domain name generation method that can be trained by reinforcement learning using only the feedback information of the detector. It has a certain effect in terms of both detection resistance and practicality.
Compared with prior work, the invention shows that high practicality and high anti-detection capability of a domain name generation algorithm can be achieved at the same time through a reinforcement learning architecture. The new domain name generation model converts the domain name synthesis task into a symbol sequence generation problem and optimizes it using reinforcement learning. The invention has been evaluated in detail using a wide range of benign and malicious domain names. The experimental results show that the invention can reduce the AUC (area under the curve) of the most advanced detector from 93.2% to 53.7%.
Description of the drawings:
FIG. 1 is a system architecture diagram of the present invention.
Fig. 2 is a process of generating a symbol sequence based on reinforcement learning.
Fig. 3 is a schematic diagram of the training of the present invention.
Detailed description:
The main aim of the invention is to improve the anti-detection capability of generated domain names by designing a new domain name generation algorithm. Following the system architecture diagram of Fig. 1, the invention designs a domain name generator. The domain name generation process and the generator update process are described in detail below with reference to the accompanying drawings and specific examples.
The invention provides a network domain name generator that improves the anti-detection capability of domain names. Specifically, it adopts a reinforcement learning framework to maximize the reward obtained from the immediate feedback of a detector and to explore an optimal domain name generation algorithm. Fig. 1 shows the overall architecture of the domain name generator, which comprises two phases: model training and domain fluxing.
Model training: training produces the domain name generator and relies mainly on the feedback of the detector to update the generator model. The model training process mainly comprises four steps:
1. The generator receives a seed (e.g., current time, microblog popularity, etc.) to generate a domain name.
2. The generator attempts to register the domain name with the Domain Name System (DNS) and uses the domain name label fed back by the DNS as the reward for the current domain name. Specifically, if the domain name registration is successful, the domain name label fed back by the DNS is 0, and the generator receives positive feedback indicating that the generated domain name can be used for domain fluxing. If the domain name label fed back by the DNS is 1, the queried domain name is an illegal domain name.
3. Given the reward fed back by the target detector, the optimizer derives a set of gradients and the generator model is updated with them.
4. The above steps are repeated until the generator converges.
Domain fluxing: the domain name generator is integrated into malware to launch the attack. The domain fluxing process mainly comprises 8 steps:
The domain name generation algorithm module of the malware (e.g., trojan or worm) is first replaced with the trained domain name generator.
Step 3: malware carrying the domain name generator is deployed on the command and control (C&C) server and on the zombie hosts by methods such as sending email.
Steps 4 and 5: the C&C server and the zombie hosts run the domain name generator at the same time and produce the same domain name list.
Step 6: the C&C server randomly selects a domain name from the generated domain name list and registers the domain name and the IP address of the C&C server in the DNS. If the registration fails, indicating that the domain name is already registered or that the DNS has determined it to be a malicious domain name, the server selects a new candidate domain name for registration until registration succeeds.
Step 7: to establish communication with the C&C server, the zombie hosts need to know the server's IP address, so they resolve the domain names in the domain name list one by one until a domain name resolves successfully and the IP address of the server is returned.
Step 9: the zombie host establishes communication with the server using the IP address of the server.
Step 10: the server receives the information from the zombie host and sends an attack instruction to the zombie host, so that the zombie host can launch attacks such as DDoS.
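The one-by-one resolution in the fluxing process above leaves a trace in resolver logs that does not depend on how the names are spelled: a short run of NXDOMAIN answers for distinct names from one client, followed by a first-time successful lookup. The following detection sketch is an added example, not part of the patent; the log format, the thresholds, the function names and every sample name (all under the reserved .example TLD) are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed resolver log, not real traffic: "<ISO time> <client> <qname> <rcode>".
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 www.intranet.example NOERROR
2024-01-01T10:05:00 10.0.0.5 www.harborlight.example NXDOMAIN
2024-01-01T10:05:01 10.0.0.5 www.quietmeadow.example NXDOMAIN
2024-01-01T10:05:02 10.0.0.5 www.quietmeadow.example NXDOMAIN
2024-01-01T10:05:03 10.0.0.5 www.silverbrook.example NXDOMAIN
2024-01-01T10:05:04 10.0.0.5 www.intranet.example NOERROR
2024-01-01T10:05:05 10.0.0.5 www.amberfield.example NXDOMAIN
2024-01-01T10:05:06 10.0.0.5 www.northgrove.example NXDOMAIN
2024-01-01T10:05:07 10.0.0.5 www.stonebridge.example NOERROR
2024-01-01T10:06:00 10.0.0.9 www.exmaple-shop.example NXDOMAIN
2024-01-01T10:06:02 10.0.0.9 www.example-shop.example NOERROR
2024-01-01T10:00:00 10.0.0.7 www.alpha.example NXDOMAIN
2024-01-01T10:02:00 10.0.0.7 www.bravo.example NXDOMAIN
2024-01-01T10:04:00 10.0.0.7 www.charlie.example NXDOMAIN
2024-01-01T10:06:00 10.0.0.7 www.delta.example NXDOMAIN
2024-01-01T10:08:00 10.0.0.7 www.echo.example NXDOMAIN
2024-01-01T10:10:00 10.0.0.7 www.foxtrot.example NOERROR
2024-01-01T10:11:00 10.0.0.7 truncated
"""


@dataclass(frozen=True)
class Query:
    ts: datetime
    client: str
    qname: str
    rcode: str


def parse_log(text):
    """Parse the assumed four-field format; malformed lines are skipped."""
    queries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        queries.append(Query(ts, parts[1], parts[2].lower().rstrip("."), parts[3].upper()))
    return sorted(queries, key=lambda q: q.ts)


def find_rendezvous_candidates(queries, window=timedelta(seconds=60), min_failures=5):
    """Return {client: [(name, distinct_failures)]} for every first-time
    successful lookup that follows at least `min_failures` distinct
    NXDOMAIN names from the same client inside `window`."""
    recent_failures = defaultdict(deque)  # client -> (ts, qname) of NXDOMAIN answers
    resolved_before = defaultdict(set)    # client -> names that already resolved
    findings = defaultdict(list)
    for q in queries:
        failures = recent_failures[q.client]
        while failures and q.ts - failures[0][0] > window:
            failures.popleft()            # forget failures older than the window
        if q.rcode == "NXDOMAIN":
            failures.append((q.ts, q.qname))
        elif q.rcode == "NOERROR":
            # Retries of one name count once, so use the distinct set.
            distinct = {name for _, name in failures}
            if len(distinct) >= min_failures and q.qname not in resolved_before[q.client]:
                findings[q.client].append((q.qname, len(distinct)))
                failures.clear()          # report each burst only once
            resolved_before[q.client].add(q.qname)
    return dict(findings)


if __name__ == "__main__":
    for client, hits in find_rendezvous_candidates(parse_log(SAMPLE_LOG)).items():
        for name, count in hits:
            print(f"{client}: {name} resolved after {count} distinct NXDOMAIN names")
```

In the sample, only 10.0.0.5 is reported: the single typo from 10.0.0.9 stays under the threshold, and the failures from 10.0.0.7 are spread too thinly to fall inside one window.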
1. Process for generating domain names
The domain name generated by the invention is in fact a sequence of symbols, produced by the domain name generator as a synthesized domain name. Fig. 2 describes how domain names are generated using the domain name generator. The process mainly comprises two steps: 1. At the beginning, the generator has an initial state $s_1$; according to
Figure BDA0003678782090000041
it generates the first sequence symbol $y_1$, and obtains the next state $s_2$ from $s_{t+1} = [s_t, y_t]$. The above process is then repeated until $T$ sequence symbols have been generated and concatenated into a new domain name. 2. The domain name generator generates only part of a domain name; a third-level domain must be added at the beginning and a top-level domain at the end, so that a complete domain name is constructed that can be used in the subsequent domain fluxing process.
2. Domain name generator update procedure
The invention updates the domain name generator using a reinforcement learning approach based on policy gradients. Training the policy $\pi_\theta$ is in effect a natural language processing (NLP) task, i.e. predicting, from a given/observed symbol sequence, the next symbol that maximizes the reward. Because of the great success of recurrent neural networks (RNNs) in NLP, the invention adopts an RNN model as the architecture of the policy $\pi_\theta$. In particular, the invention selects an LSTM network, because LSTM can avoid the gradient explosion or gradient vanishing caused by long symbol sequences. The policy gradient approach aims to make the symbol sequence more resistant to the target detector, which requires maximizing the reward fed back by the detector.
Figure BDA0003678782090000042
Wherein:
Figure BDA0003678782090000043
denotes the complete domain name generated from $s_1$ by following policy $\pi_\theta$. The objective $J(\theta)$ is optimized by policy gradient, that is, the policy parameter $\theta$ is updated along the gradient of $J(\theta)$.
Figure BDA0003678782090000044
Where r is the learning rate.
Figure BDA0003678782090000045
Using the likelihood ratio,
Figure BDA0003678782090000046
it can be rewritten as,
Figure BDA0003678782090000051
Next, the invention discusses how to derive, for the two possible cases,
Figure BDA0003678782090000052
(1) For the terminal state $s_T$, it can be derived directly by the following formula,
Figure BDA0003678782090000053
where $[s_T, a_i] = [y_1, \dots, y_{T-1}, a_i]$ represents the complete symbol sequence (i.e., the synthesized domain name) obtained by concatenating the current state $s_T$ and the action $a_i$.
(2) For an intermediate state $s_t$ ($1 \le t < T$), it cannot be derived directly for the symbol sequence $[s_t, a_t]$, because that sequence is an incomplete domain name and therefore cannot be evaluated by the target detector. The invention estimates the reward of the sequence $[s_t, a_t]$ as
Figure BDA0003678782090000054
rather than receiving the reward directly. Specifically, given the existing symbols $[s_t, a_t]$, the invention estimates $m$ complete domain names by sampling the remaining $T-t$ symbols using Monte Carlo search, i.e.
Figure BDA0003678782090000055
where
Figure BDA0003678782090000056
is the Monte Carlo search with rollout policy $\pi_\theta$, and
Figure BDA0003678782090000057
is the estimated symbol at time $t'$ in the $j$-th search. Thus, the return of an action in an intermediate state is
Figure BDA0003678782090000058
where $m$ is a hyperparameter representing the number of Monte Carlo (MC) searches. For clarity, the detailed training process of the policy is shown in Fig. 3.
A stochastic gradient descent (SGD) method is chosen to optimize the policy-gradient-based objective. Before starting the SGD optimizer, two key hyperparameters must be initialized: the learning rate r and the batch size b, which may significantly affect training performance and efficiency. For example, if r is too large, the model may not converge, while a smaller r may significantly reduce the training speed. The invention therefore uses a grid search to find their best values (as shown in the table).
TABLE 1 Hyperparameter tuning procedure
Figure BDA0003678782090000059
Figure BDA0003678782090000061
The present invention is not limited to the above-described embodiments. The foregoing description of the specific embodiments is intended to describe and illustrate the technical solutions of the present invention, and the above specific embodiments are merely illustrative and not restrictive. Those skilled in the art can make many changes and modifications to the invention without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (3)

1. A method for establishing a novel domain name generation model, characterized by comprising the following steps:
the domain name generator synthesizes the domain name information to be updated into a domain name task, which is input to the domain name system;
the domain name system evaluates the domain name task and feeds the label of a currently successfully registered domain name to the optimizer as positive feedback;
the optimizer computes, by a policy gradient method, the gradient for updating the parameter θ from the domain name label and inputs it into the generator; namely:
Figure FDA0003678782080000011
where $J(\theta)$ is the policy-gradient optimization objective and $r$ is the learning rate;
the domain name generator repeats the above steps until the generator converges.
2. The establishment of the novel domain name generation model according to claim 1, wherein the process by which the domain name generator synthesizes the domain name information to be updated into a domain name task is as follows:
the domain name generator has an initial state $s_1$; according to
Figure FDA0003678782080000012
it generates the first sequence symbol $y_1$, and obtains the next state $s_2$ from $s_{t+1} = [s_t, y_t]$.
The above process is repeated until $T$ sequence symbols have been generated and concatenated into a new domain name;
the domain name system evaluates the domain name task and gives positive feedback according to the following formula
Figure FDA0003678782080000013
where:
Figure FDA0003678782080000014
denotes the complete domain name generated from $s_1$ by following policy $\pi_\theta$. The objective $J(\theta)$ is optimized by policy gradient, that is, the policy parameter $\theta$ is updated along the gradient of $J(\theta)$.
3. The application of the novel domain name generation model established in claim 1, comprising the following steps:
the domain name generation algorithm module of malware in the application network is replaced with the trained domain name generator of claim 1;
malware carrying the domain name generator is deployed on the command and control (C&C) server and on the zombie host by sending email;
the domain name generator is run on the C&C server and on the zombie host at the same time and produces the same domain name list;
the C&C server randomly selects a domain name from the generated domain name list and registers the domain name and the IP address of the C&C server with the domain name system; if the registration fails, which indicates that the domain name is already registered or is considered a malicious domain name, the server selects a new candidate domain name for registration until registration succeeds;
to establish communication with the C&C server, the zombie host needs to know the server's IP address, and resolves the domain names in the domain name list one by one until a domain name resolves successfully and returns the IP address of the server;
the zombie host establishes communication with the server by using the IP address of the server;
the server receives the message from the zombie host and sends an attack instruction to the zombie host, so that the zombie host can launch a DDoS attack.
CN202210628322.5A 2022-06-06 2022-06-06 Novel domain name generation model establishment and application Active CN115022282B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210628322.5A CN115022282B (en) 2022-06-06 2022-06-06 Novel domain name generation model establishment and application

Publications (2)

Publication Number    Publication Date
CN115022282A          2022-09-06
CN115022282B          2023-07-21

GR01 Patent grant